Sessions in Web Applications

• A web session is a sequence of HTTP request and response transactions associated with the same user.
• Modern, complex web applications need to retain information, or keep the state of each user, for the duration of multiple requests.
• Sessions provide the ability to establish variables, such as access rights and localization settings, that apply to each and every interaction a user has with the web application until she terminates her session.

Session Management in Web-Apps

• HTTP is a stateless protocol (RFC 2616).
• Session tracking capabilities are built on top of HTTP (session IDs or tokens).
• Key and core components of web-apps: Authentication, Session Management, Access Control.

Are there any security risks?

OWASP Top 10 2010

• The Top 10 Most Critical Web Application Security Risks:

  OWASP Top 10 - 2007 (Previous)                          | OWASP Top 10 - 2010 (New)
  --------------------------------------------------------|--------------------------------------------------
  A2 - Injection Flaws                                    | A1 - Injection
  A1 - Cross Site Scripting (XSS)                         | A2 - Cross-Site Scripting (XSS)
  A7 - Broken Authentication and Session Management       | A3 - Broken Authentication and Session Management
  A4 - Insecure Direct Object Reference                   | A4 - Insecure Direct Object References
  A5 - Cross Site Request Forgery (CSRF)                  | A5 - Cross-Site Request Forgery (CSRF)
  <was T10 2004 A10 - Insecure Configuration Management>  | A6 - Security Misconfiguration (NEW)
  A8 - Insecure Cryptographic Storage                     | A7 - Insecure Cryptographic Storage
  A10 - Failure to Restrict URL Access                    | A8 - Failure to Restrict URL Access
  A9 - Insecure Communications                            | A9 - Insufficient Transport Layer Protection
  <not in T10 2007>                                       | A10 - Unvalidated Redirects and Forwards (NEW)
  A3 - Malicious File Execution                           | <dropped from T10 2010>
  A6 - Information Leakage and Improper Error Handling    | <dropped from T10 2010>

http://owasptop10.googlecode.com/files/OWASP Top 10 - 2010.pdf

WASC Threat Classification v2.0

• WASC-18: Credential & Session Prediction
  - Session ID disclosure and/or interception
  - Session ID prediction or brute-forcing
  - Session hijacking (sidejacking)
• WASC-37: Session Fixation
• WASC-47: Insufficient Session Expiration

http://www.webappsec.org/projects/threat/

Session Fixation

• Discovered and/or publicized at the end of 2002 by Mitja Kolšek
  - Obtaining vs. "fixing" a valid session ID
• The attacker fixes the session ID before the victim logs in to the target web-app
• Types: permissive and strict session management
• State of the art (after 9 years)?

http://www.acrossecurity.com/papers/session_fixation.pdf

What Session Fixation Should Be?

Obsession: a habit of activity or practice

http://daretobedomestic.blogspot.com/2010/07/fixation-friday-fitness-and-arms.html

Session Fixation Discovery

• Evaluate session tracking pre- and post-authentication (and compare):
  - Identify the session ID transport or exchange mechanism (web interception proxy)
  - Get a valid session ID (pre/post-authentication)
  - Fix the session ID playing the victim user role
  - Authenticate into the target web-app
  - Analyze the response post-authentication

Same session ID, or no session ID, in the response?

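The comparison step of this procedure as an offline script, added here as an example (it is not part of the original slides): it takes the pre-authentication and post-authentication responses as an interception proxy would capture them and reports, per session cookie, whether the ID was renewed. Both responses and the list of cookie names treated as session trackers are constructed.

```python
"""Session fixation check: compare session cookies issued pre- and post-authentication.

Added example. Input is the raw text of two HTTP responses as an interception
proxy would capture them (constructed below); the verdict follows the slide's
question: same session ID, or no new session ID, in the post-auth response?
"""
from http.client import parse_headers
from io import BytesIO

# Cookie names treated as session trackers (constructed list; extend per target).
SESSION_COOKIE_NAMES = {"SESSIONID", "JSESSIONID", "PHPSESSID", "ASP.NET_SessionId"}


def parse_response(raw: str):
    """Split a raw HTTP response into (status_line, headers)."""
    status_line, _, rest = raw.partition("\r\n")
    headers = parse_headers(BytesIO(rest.encode("latin-1")))
    return status_line, headers


def cookie_pair(set_cookie: str):
    """Return (name, value) from a Set-Cookie header value; attributes are ignored here."""
    name, _, value = set_cookie.split(";", 1)[0].partition("=")
    return name.strip(), value.strip()


def session_cookies(headers) -> dict:
    """{name: value} for every Set-Cookie header that names a session tracker."""
    found = {}
    for raw_cookie in headers.get_all("Set-Cookie", []):
        name, value = cookie_pair(raw_cookie)
        if name in SESSION_COOKIE_NAMES:
            found[name] = value
    return found


def compare_sessions(pre_auth_raw: str, post_auth_raw: str) -> dict:
    """One verdict per session cookie that was fixed before authentication."""
    _, pre = parse_response(pre_auth_raw)
    _, post = parse_response(post_auth_raw)
    fixed, renewed = session_cookies(pre), session_cookies(post)
    verdicts = {}
    for name, fixed_value in fixed.items():
        if name not in renewed:
            verdicts[name] = "not renewed: no new Set-Cookie post-auth"
        elif renewed[name] == fixed_value:
            verdicts[name] = "not renewed: same value post-auth"
        else:
            verdicts[name] = "renewed"
    return verdicts


def is_vulnerable(verdicts: dict) -> bool:
    """Fixation indicator: any tracker that survived authentication unchanged."""
    return any(v.startswith("not renewed") for v in verdicts.values())


# Constructed captures standing in for the proxy log.
PRE_AUTH = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SESSIONID=012345; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
POST_AUTH_FIXATION = (            # same ID kept after login: vulnerable
    "HTTP/1.1 302 Found\r\n"
    "Location: /private\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
)
POST_AUTH_RENEWED = (             # new ID issued after login: not vulnerable
    "HTTP/1.1 302 Found\r\n"
    "Location: /private\r\n"
    "Set-Cookie: SESSIONID=98f3a1c0d2e4; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, post in (("fixation", POST_AUTH_FIXATION), ("renewed", POST_AUTH_RENEWED)):
        verdicts = compare_sessions(PRE_AUTH, post)
        print(label, verdicts, "VULNERABLE" if is_vulnerable(verdicts) else "ok")
```

The same comparison applies to IDs carried in URLs or hidden fields; only the extraction step changes. A third outcome worth recording during a test is a post-auth response that re-issues the identical value, which the script reports separately from "no new cookie at all".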
Session ID Exchange (1)

• Multiple mechanisms are available in HTTP to maintain session state
• Session ID sent as a...
  - Cookie (standard HTTP header)
  - URL parameter (URL rewriting) - RFC 2396
  - URL argument: GET request (URL rewriting)
  - Body argument: POST request
  - Hidden form field (HTML forms)
  - Proprietary HTTP header

Session ID Exchange (2)

• Cookie (standard HTTP header):
  - Cookie: id=012345; ...
• URL parameter (URL rewriting):
  - https://portal.example.com/private;id=0123457...
• URL argument (GET request):
  - https://portal.example.com/private?id=012345&...
• Body argument (POST request):
  - id=012345&...
• Hidden form field (HTML):
  - <INPUT TYPE="HIDDEN" NAME="id" VALUE="012345">
• Proprietary HTTP header:
  - Portal-Session-ID: id=012345

Session ID Exchange: Used vs. Accepted

• Method used by the application vs. method(s) accepted by the application
• Example:
  - The application uses cookies to exchange IDs, but also accepts session IDs in URLs
    - Can use both: automatic URL rewriting
    - Clients without cookie capabilities, or not accepting them
  - Session ID disclosure
  - Facilitates session fixation attacks

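An added example (not from the original slides) serving the two "Session ID Exchange" slides and this "used vs. accepted" point: given one raw request and the HTML of its response, it inventories every channel that carries a value under the session parameter name, so a tester can compare the channel the application is designed to use against those the server also receives. The request, the HTML, the parameter name "id" and the header name "Portal-Session-ID" follow the slide's constructed examples.

```python
"""Inventory of the channels carrying a session ID in one exchange (added example).

Covers the mechanisms listed on the two "Session ID Exchange" slides and the
"used vs. accepted" point: given a raw HTTP request and the HTML of the
response, it reports every channel that carries a value under the session
parameter name. Whatever the application is meant to use, every other channel
it also accepts is a place where an attacker-chosen ID could reach it;
URL-borne IDs in particular are what make fixation through a link possible.
"""
from html.parser import HTMLParser
from http.client import parse_headers
from io import BytesIO
from typing import Dict, Set
from urllib.parse import parse_qs, urlsplit

SESSION_PARAM = "id"                   # parameter/cookie name used in the slide examples
SESSION_HEADER = "Portal-Session-ID"   # proprietary header from the slide


def parse_request(raw: str):
    """Split a raw HTTP request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, _, header_text = head.partition("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = parse_headers(BytesIO((header_text + "\r\n\r\n").encode("latin-1")))
    return method, target, headers, body


class HiddenFieldFinder(HTMLParser):
    """Collect hidden <input> fields (name -> value) from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.fields[a.get("name") or ""] = a.get("value") or ""


def session_id_channels(raw_request: str, response_html: str = "") -> Dict[str, str]:
    """Map each transport mechanism that carries the session ID to the value it carries."""
    method, target, headers, body = parse_request(raw_request)
    channels: Dict[str, str] = {}
    # 1. Cookie header
    for part in (headers.get("Cookie") or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_PARAM:
            channels["cookie"] = value
    # 2. URL parameter (RFC 2396 path parameter, e.g. /private;id=0123457)
    parts = urlsplit(target)
    for param in parts.path.partition(";")[2].split(";"):
        name, _, value = param.partition("=")
        if name == SESSION_PARAM:
            channels["url_parameter"] = value
    # 3. URL argument (query string)
    query = parse_qs(parts.query)
    if SESSION_PARAM in query:
        channels["url_argument"] = query[SESSION_PARAM][0]
    # 4. Body argument (form-encoded POST)
    if method == "POST":
        form = parse_qs(body)
        if SESSION_PARAM in form:
            channels["body_argument"] = form[SESSION_PARAM][0]
    # 5. Proprietary header ("Portal-Session-ID: id=012345")
    proprietary = headers.get(SESSION_HEADER)
    if proprietary:
        channels["proprietary_header"] = proprietary.partition("=")[2].strip() or proprietary.strip()
    # 6. Hidden form field in the response body
    finder = HiddenFieldFinder()
    finder.feed(response_html)
    if SESSION_PARAM in finder.fields:
        channels["hidden_field"] = finder.fields[SESSION_PARAM]
    return channels


def extra_channels(channels: Dict[str, str], used: str) -> Set[str]:
    """Channels the server saw besides the one the application is designed to use."""
    return set(channels) - {used}


# Constructed capture: one request that pushes the ID through every mechanism at once.
REQUEST = (
    "POST /private;id=0123457?id=012345&lang=en HTTP/1.1\r\n"
    "Host: portal.example.com\r\n"
    "Cookie: id=012345; theme=dark\r\n"
    "Portal-Session-ID: id=012345\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "id=012345&q=test"
)
RESPONSE_HTML = '<form><INPUT TYPE="HIDDEN" NAME="id" VALUE="012345"></form>'

if __name__ == "__main__":
    found = session_id_channels(REQUEST, RESPONSE_HTML)
    print(found)
    print("accepted besides cookie:", sorted(extra_channels(found, "cookie")))
```

In a real test the request is replayed with the ID moved from the used channel into each extra one; any channel from which the server still honours the ID is an accepted mechanism and should be disabled server-side.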
Session Fixation Discovery Summary

(diagram: client to web-app exchange)
  1. HTTP request (w/o session ID)      (pre-authentication)
  2. HTTP response (session ID)
  3. HTTP request (token)
  4. Session specific data

The Attacker is After the...

(image: "Session")
http://www.fullsailbrewing.com/client/session-landing-page3.png

Session Fixation Exploitation

• Active attack for session hijacking and user impersonation
  - Targeted attacks against sensitive users
  - Indiscriminate attacks as any legitimate user
• Unauthorized access (or privilege escalation attacks) as the victim user
• Fixation and exploitation phases
  - Wait till the victim user authenticates

Copyright © 2011 Taddong S.L. - www.taddong.com

Session Fixation Attacks

(diagram from the referenced paper: the attacker sends the victim the link http://online.worldbank.dom/login.jsp?sessionid=1234; the victim's browser issues GET /login.jsp?sessionid=1234 and then submits username & password to online.worldbank.dom)

http://www.acrossecurity.com/papers/session_fixation.pdf

Attack Vectors (1)

• Web references or links (URLs):
  - Social engineering tricks: entice the user to follow the link with the attacker's session ID
    https://portal.example.com/private;sessionid=0123457...
• HTTP meta tags (e.g. cookies):
  - Cannot be disabled in web browsers
    https://portal.example.com/<meta%20http-equiv=Set-Cookie%20content="SESSIONID=012345;%20path=/;...">
• Untrusted client shared environments

Attack Vectors (2)

• Web traffic interception & manipulation:
  - MitM attacks over unencrypted HTTP traffic to add or replace legitimate session IDs
  - Any exchange mechanism (single request)
    Set-Cookie: SESSIONID=012345; expires=Friday, 17-May-13 18:45:00 GMT; ...
• Cross-subdomain cooking (DNS design):
  - "domain" cookie attribute from vulnerable servers
    Set-Cookie: SESSIONID=012345; domain=.example.com; ...

Attack Vectors (3)

• HTTP response splitting:
  - Inject session IDs (as HTTP headers)
  - E.g. HTTP redirection

  REQ:  https://portal.example.com/login\r\nSet-Cookie: SESSIONID=012345\r\nDummy-Header:

  RESP:
  HTTP/1.1 302 Found
  Server: Vulnerable Server 1.0
  Location: https://portal.example.com/login
  Set-Cookie: SESSIONID=012345
  Dummy-Header: /login

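The defender's side of this vector, as an added example that is not part of the original slides: a redirect helper that refuses any Location value containing CR, LF or NUL (raw or percent-encoded), and only redirects within the portal's own HTTPS origin. The host name and fallback page are assumptions; the inputs fed to it are the slide's own splitting payload plus constructed variants.

```python
"""Header-injection guard for redirects (added example; the portal name is assumed).

The redirect on the slide copies a request-supplied value into the Location
header, so CR LF in that value terminates the header and whatever follows
(here a Set-Cookie fixing SESSIONID) becomes a new header. The defence is to
refuse any header value containing CR, LF or NUL, including percent-encoded
forms that a later decoding step could reveal, and to redirect only to the
application's own HTTPS origin.
"""
import re
from urllib.parse import unquote, urlsplit

ALLOWED_HOST = "portal.example.com"          # assumed origin of the portal
FALLBACK = "https://portal.example.com/"     # landing page used when a target is refused
_CTL = re.compile(r"[\r\n\x00]")


def is_header_safe(value: str) -> bool:
    """True only if the value cannot end the header it is written into.

    The value is checked raw and after two rounds of percent-decoding, so
    %0D%0A and double-encoded %250D%250A are refused as well.
    """
    candidate = value
    for _ in range(3):
        if _CTL.search(candidate):
            return False
        candidate = unquote(candidate)
    return True


def safe_redirect_target(location: str):
    """Return the Location value to emit, or None when it must be refused."""
    if not is_header_safe(location):
        return None
    parts = urlsplit(location)
    if parts.scheme and parts.scheme.lower() != "https":
        return None
    if parts.netloc and parts.netloc.lower() != ALLOWED_HOST:
        return None          # off-site target: also an unvalidated redirect (OWASP 2010 A10)
    return location


def build_redirect(location: str) -> list:
    """Header lines of the 302 response; a refused target falls back to FALLBACK."""
    target = safe_redirect_target(location)
    return ["HTTP/1.1 302 Found", "Location: " + (target if target else FALLBACK), ""]


if __name__ == "__main__":
    # Constructed inputs: the slide's splitting payload, an encoded variant, and a clean URL.
    for loc in ("https://portal.example.com/login\r\nSet-Cookie: SESSIONID=012345\r\nDummy-Header: ",
                "https://portal.example.com/login%0D%0ASet-Cookie:%20SESSIONID=012345",
                "https://portal.example.com/login"):
        print(repr(loc), "->", build_redirect(loc)[1])
```

Most modern servlet containers and HTTP libraries already reject CR/LF in header values; the check still belongs in application code because the redirect target is attacker-influenced input and the same value often reaches logs and templates too.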
Attack Vectors (4)

• Cross-Site Scripting (XSS):
  - Set the session IDs through JavaScript
  - Target web applications (or subdomain apps)
  - Persistent and reflective XSS
    https://portal.example.com/search?q=<script>document.cookie="SESSIONID=012345;%20path=/;%20domain=.example.com";</script>
• SQL injection:
  - Session management database (subtle attacks)

Session Fixation Benefits

• Bigger attack window
  - Initial fixation occurs pre-authentication
  - Victim user authenticates (a long time afterwards)
  - Attack is exploited post-authentication (active)
• Extended attack lifetime
  - Persistent cookies (e.g. 10 years)
  - Web application terminates the session
  - Session ID remains in the user's browser waiting for the session to be resumed (or re-launched)

Session Fixation Exploitation Summary

(diagram: attacker, victim user, vulnerable web-app)

Attack vector(s): combined & target dependent

Case Studies

Three Case Studies

• From real-world penetration tests
  - Past two years: 2009-2010
  - Three different session fixation vulnerabilities on three separate target web environments
• How they were discovered & exploited
• Real impact
• Vulnerability disclosure timeline
• Protections

Discovering Security Vulnerabilities

(comic strip: "I discovered a net security..." / "Actually, that's not my job. But I'll inform our network management group.")

Case Study #1: Joomla! Open-Source CMS

#1 Summary

• Session fixation in Joomla!, a widely used open-source CMS
• Affected versions: 1.5.x - 1.5.15
• Vulnerability ID: 20100423 (TAD-2010-001)
• Notified: November 2009
• Release date: April 2010

#1 Discovery and Exploitation

• Target: HTTPS-only web application
  - Public & private sections (registered users)
  - Built-in Joomla! core session management
  - Authentication: e-National ID card or user/pass
• MD5 hashes for session ID and value
  - Ignore it: meaning & purpose are not required
  - Discovered through a blackbox pen-test but...
  - Source code available: whitebox pen-test

#1 Impact

• Open-source CMS
  - Non-profit organizations, academic institutions, and non-business related and ...
  - ... business critical web applications
    - Commercial companies and governments
    - Standalone, source-code customizations, and other frameworks (internally and publicly)
• All 1.5.x Joomla! versions up to 1.5.15
  - Depending on the criticality of the web application

#1 Vulnerability Disclosure Timeline

• Lessons learned from vulnerability notifications, handling, and disclosure
  - Definitely, open for improvement!!
• Advisory says reported on March 25, 2010, when it should say Nov 2009
• "The Seven Deadly Sins of Security Vulnerability Reporting" blog post

#1 Protections

• Web applications based on Joomla! must upgrade to the latest Joomla! version (1.5.16 or later)

Case Study #2: Commercial Web Application Server (UPDATED)

#2 Summary

• Session fixation vulnerability on a web-app based on Oracle/BEA WebLogic Portal/Server
  - HTTP vs. HTTPS misbehavior
• Affected versions: "J2EE web-apps"
• Vulnerability: misconfiguration (Oracle; others?)
• Notified: December 2010
• Release date: Today! - March 2011
  - J2EE web application deployment best practices

#2 Discovery and Exploitation (1)

• Complex & recently redesigned web-app
• Public section + private section (auth)
• Java-based cookie (JSESSIONID)
  - Pre-authentication, +50 chars
  - "domain" & "path" attributes & random
    Set-Cookie: JSESSIONID=Fz5f...qMal; domain=.example.com; path=/
• Authentication (POST & HTTPS & cookie):
  https://portal.example.com/private/miPortal

#2 Discovery and Exploitation (2)

• Successful authentication (post-auth):
    Set-Cookie: _WL_AUTHCOOKIE_JSESSIONID=GAID...vQ14; path=/; secure
• Any previous value is renewed
  - _WL_AUTHCOOKIE_JSESSIONID
• Very common scenario: two cookies
  - Pre-auth (not secure): always (www, portal, etc.)
  - Post-auth (secure): portal only (SSL) & renewed

Session ID (authenticated users) = JSESSIONID + _WL_AUTHCOOKIE_JSESSIONID

#2 Discovery and Exploitation (3)

• All links from "www" to "portal" are HTTPS
  - But HTTP is also allowed in "portal"
• What is used for session ID verification when accessing "authenticated resources"?
  - Common sense: both cookies (! in reality)
• HTTPS behavior (missing or bad cookie):
  1. Both cookies: OK
  2. JSESSIONID bad: redirect to login & renewed
  3. AUTH_JSESSIONID bad: 401 Basic?

#2 Discovery and Exploitation (4)

• HTTP behavior:
  - Once authenticated, HTTPS requires both cookies
  - HTTP only makes use of JSESSIONID
• All resources are available through HTTP
  - JSESSIONID is enough to associate the web request (HTTP) to an authenticated session
• Remember, JSESSIONID is not renewed
• Discovered on WebLogic Portal version 10.3

Even simpler attacks, as JSESSIONID is disclosed via HTTP

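To make the two-cookie behaviour on these four slides concrete, here is an added example (a model written for this page, not WebLogic code): a small in-memory portal in which JSESSIONID is issued pre-authentication and never renewed, the Secure _WL_AUTHCOOKIE_JSESSIONID is added at login, and protected resources are also reachable over plain HTTP. Two switches model the two fixes the case study arrives at (HTTPS enforcement for protected resources, session ID regeneration on login). Users and IDs are constructed.

```python
"""Two-cookie session model for case study #2 (added example, not WebLogic code).

A small in-memory portal stands in for the container so the HTTP vs. HTTPS
inconsistency on the slides can be reproduced: JSESSIONID is issued before
authentication and never renewed, the Secure _WL_AUTHCOOKIE_JSESSIONID is
added at login, and protected resources are also reachable over plain HTTP,
where the browser never sends the Secure cookie. Two switches model the two
fixes the case study ends with: enforcing HTTPS for protected resources and
regenerating JSESSIONID on login. Users and IDs are constructed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: Optional[str] = None
    auth_cookie: Optional[str] = None    # _WL_AUTHCOOKIE_JSESSIONID value (Secure cookie)


@dataclass
class Portal:
    enforce_https: bool          # models <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    regenerate_on_login: bool    # models regenerating the session ID after authentication
    sessions: Dict[str, Session] = field(default_factory=dict)

    def new_session(self) -> str:
        """Pre-authentication: every visitor is handed a JSESSIONID."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session()
        return sid

    def login(self, jsessionid: str, user: str) -> Tuple[str, str]:
        """Authenticate the session; returns the (JSESSIONID, auth cookie) pair to set."""
        sess = self.sessions[jsessionid]
        if self.regenerate_on_login:
            del self.sessions[jsessionid]          # the pre-auth ID stops being valid
            jsessionid = secrets.token_hex(16)
            self.sessions[jsessionid] = sess
        sess.user = user
        sess.auth_cookie = secrets.token_hex(16)
        return jsessionid, sess.auth_cookie

    def private_resource(self, scheme: str, cookies: Dict[str, str]) -> str:
        """Serve a protected resource; returns the user served or a status string."""
        sess = self.sessions.get(cookies.get("JSESSIONID", ""))
        if scheme != "https":
            if self.enforce_https:
                return "302 redirect to https"
            # HTTP allowed: the Secure cookie is never sent, so the request can only
            # be associated to the authenticated session through JSESSIONID.
            return sess.user if sess and sess.user else "302 redirect to login"
        if not sess or not sess.user:
            return "302 redirect to login"
        if cookies.get("_WL_AUTHCOOKIE_JSESSIONID") != sess.auth_cookie:
            return "401"
        return sess.user


def fixation_scenario(portal: Portal, scheme: str = "http") -> str:
    """A pre-auth JSESSIONID is fixed in the victim's browser, the victim logs in
    with it, and that single cookie is then replayed against a protected resource."""
    fixed = portal.new_session()
    portal.login(fixed, "victim")
    return portal.private_resource(scheme, {"JSESSIONID": fixed})


if __name__ == "__main__":
    for https, regen in ((False, False), (True, False), (False, True), (True, True)):
        p = Portal(enforce_https=https, regenerate_on_login=regen)
        print(f"enforce_https={https} regenerate={regen}: {fixation_scenario(p)}")
```

With neither switch the replay is served as "victim"; enforcing HTTPS alone makes the Secure cookie mandatory (the replay gets 401 over HTTPS and a redirect over HTTP), and regeneration alone invalidates the fixed ID. The slides' recommendation is both: one closes the transport gap, the other the fixation itself.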
#2 Impact

• Three possible scenarios:
  - High: commercial web-app server found vulnerable (all web-apps)
  - Mid: vulnerability due to misconfiguration of the commercial web-app server
    - How easy is it to introduce the wrong setting?
  - Low: only the specific web-app it was discovered in is vulnerable
• Even if not 0-day, a subtle sample of HTTP(S) and session management misconfiguration

WebLogic HTTPS Enforcement (1)

• web.xml:

  <user-data-constraint>
    <description>SSL not required</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>

• HTTPS is not enforced by WebLogic
  - User dependent: "http://" or "https://" links
  - NONE: HTTPS not enforced (HTTP allowed)
  - CONFIDENTIAL: ensure confidentiality (SSL/TLS)
  - INTEGRAL: ensure integrity (SSL/TLS)

WebLogic HTTPS Enforcement (2)

• HTTPS on the web or web-app server(s)?
  - Apache 2.2.x vs. WebLogic Portal 10.3
• If HTTPS is not enforced by the WebLogic configuration ("NONE"), then:
  - Resources are available through HTTP...
  - ...and therefore the secure cookie will never be sent by the web browser
    - _WL_AUTHCOOKIE_JSESSIONID
  - ...so JSESSIONID is the only ID required to associate requests to authenticated sessions

WebLogic HTTPS Enforcement (3)

• Be careful with the exceptions in web.xml (default is NONE for all: url-pattern = *):

  <web-app> ...
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>All</web-resource-name>
        <url-pattern>/</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <security-constraint> ...
        <url-pattern>/public/*</url-pattern> ...
        <transport-guarantee>NONE</transport-guarantee>
    ...
  </web-app>

#2 Vulnerability Disclosure Timeline

• Vendor notified in early December 2010
  - Quick analysis & limited target information
  - Conclusion: specific to the target environment
• Mid-February 2011: full configuration details
  - Re-analyzed for confirmation
• Early/Mid-March 2011:
  - Conclusion: HTTPS misconfiguration & lack of session ID regeneration (developer's hands)

Web-app source code for in-depth analysis and ratification?

#2 Protections (1)

• Separate public & private web environments
  - Server, IP, hostname, and domain
  - Session management infrastructure
• Pen-testers must try this!! (lessons learned)
  - HTTP vs. HTTPS inconsistencies
  - Session management verifications (number of cookies)
• Even if available only through HTTPS?
• Security-related developer's documentation improvements (session fixation & HTTPS)

Credit: Oracle April 2011 CPU

#2 Protections (2): HTTPS Secure Cookie

• Default in config.xml (even if not defined):

  <WebServer Name="server" AuthCookieEnabled="true"/>

• The WebLogic server instance sends a new secure cookie for protected resources:
  - _WL_AUTHCOOKIE_JSESSIONID
• Securely access HTTPS resources in a user session (even if initiated using HTTP)

It is mandatory to set both settings: <transport-guarantee> (for SSL/TLS) and AuthCookieEnabled (default)

#2 Protections (3): Authentication Options

• Programmatic authorization/security:
  - Developer custom code via the login() API
    - E.g. weblogic.security.services.Authentication.login()
  - Must take care of session ID regeneration manually
• Declarative authorization/security:
  - WebLogic built-in authentication (Servlet Container), e.g. <auth-constraint>
  - JSESSIONID is automatically regenerated after authentication

http://download.oracle.com/docs/cd/E13222_01/wls/docs103/security/thin_client.html

#2 Protections (4): WebLogic Session Fixation

• WebLogic Server provides the following API to regenerate the session ID after a successful authentication:

  ServletAuthentication.generateNewSessionID(request);

• Security in the web developer's hands
• Documentation must include best practices
  - Will be added as a result of this discovery

#2 Protections (5): HTTPS & Auth Enforcement

• Set both simultaneously in web.xml (user-data & auth constraints):

  <web-app> ...
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>All</web-resource-name>
        <url-pattern>/</url-pattern>
      </web-resource-collection>
      <!-- 1 -->
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
      <!-- 2 -->
      <auth-constraint>
        <role-name>authenticateduser</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method> ...
  </web-app>
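A descriptor audit for the "HTTPS Enforcement" slides and this one, added here as an example (it is not part of the slides and not a WebLogic tool): it walks every security-constraint in a web.xml and flags authenticated URL patterns whose transport guarantee is NONE or absent, the combination that left the case study's private resources reachable over HTTP. The descriptor below is constructed from the slide fragments; role names and the extra /private/reports/* pattern are assumptions.

```python
"""web.xml constraint audit (added example; not part of the slides or of WebLogic).

For every <security-constraint> in a deployment descriptor it reports the URL
patterns, the transport guarantee the container will enforce (NONE when the
<user-data-constraint> is absent, the servlet default) and whether an
<auth-constraint> protects the patterns. The finding to look for is the one
case study #2 turned on: authenticated resources without CONFIDENTIAL or
INTEGRAL, i.e. reachable over plain HTTP. WEB_XML below is constructed from
the slide fragments; role and pattern names are assumed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>authenticateduser</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/private/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>authenticateduser</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""

HTTPS_GUARANTEES = {"CONFIDENTIAL", "INTEGRAL"}


def _local(tag: str) -> str:
    """Strip the XML namespace so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name: str) -> List[str]:
    """Text of every descendant element with the given local name."""
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]


def audit_constraints(web_xml: str) -> List[Dict]:
    """One finding per <security-constraint>."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        guarantees = [g.upper() for g in _texts(sc, "transport-guarantee")]
        guarantee = guarantees[0] if guarantees else "NONE"     # container default when absent
        has_auth = any(_local(c.tag) == "auth-constraint" for c in sc)
        findings.append({
            "patterns": _texts(sc, "url-pattern"),
            "transport_guarantee": guarantee,
            "auth_constraint": has_auth,
            # Authenticated resources reachable over HTTP: the Secure auth cookie is
            # never sent there and JSESSIONID alone identifies the session.
            "issue": has_auth and guarantee not in HTTPS_GUARANTEES,
        })
    return findings


def http_reachable_protected_patterns(web_xml: str) -> List[str]:
    """URL patterns that require authentication but do not require HTTPS."""
    return [p for f in audit_constraints(web_xml) if f["issue"] for p in f["patterns"]]


if __name__ == "__main__":
    for finding in audit_constraints(WEB_XML):
        print(finding)
    print("HTTP-reachable protected patterns:", http_reachable_protected_patterns(WEB_XML))
```

The third constraint is the trap the slide warns about: the container applies the constraints of the best-matching URL pattern, so the blanket CONFIDENTIAL on /* does not reach a more specific pattern declared without a user-data-constraint.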


#2 Protections (6): Summary

• Too many options & too much flexibility!
• Recommended best practices:
  - All sensitive resources must be protected by HTTPS (and not accessible via HTTP) at the web application server level (e.g. WebLogic)
    - Use the default secure authentication cookie
  - Enforce HTTPS & authentication altogether
  - Java servlets must invalidate the session (thus renewing the session ID) just after completing authentication
    - Programmatically or declaratively (default)

#2 Protections (7): Automatic?

• Could we thoroughly link the custom web-app authentication code and session management capabilities to always enforce HTTPS and session ID renewal?
• Default framework behavior vs. developer's code
• At the industry level (specifications & implementations)

(diagram: Authentication, Session Management, Secure transport; Pre-Auth Sessions)

How to securely link these three components?

#2 Protections (8): Industry Standards Interpretations

• Java Servlet Specification (J2EE) - defaults
  - Sessions have an application scope
    - Share the same session
    - "7.3. Session Scope" (Java Servlet Spec v3.0, pg. 57)
  - Requirement: HTTP & HTTPS on the same app
  - Standard document description (.XML)
• Independent authentication and encryption elements
  - Specifications vs. security best practices
    - Not all combinations are desired
  - It is all about protected resources!!

(diagram: Authentication, Encryption, Session mgmt.)

See also "Java Servlet Spec" for case #3 in the whitepaper

Case Study #3: World's Leader in Business Software

#3 Summary

• Session fixation in the SAP J2EE Engine affecting the core SAP NetWeaver platform
• Affected versions: 6.40 - 7.20
• Vuln ID: SAP Security Note 1310561 (TAD-2011-002)
• Notified: July 2009
• Release date: December 2010 (SAP SMP)

https://websmp130.sap-ag.de/sap/support/notes/1310561

#3 Discovery and Exploitation (1)

• Large penetration test (net, web-app, wi-fi)
• Some of the target servers were the Intranet website and the SAP systems
  - Critical business processes and activities
• This website contained a link (used by employees) to the SAP Portal (HTTP)
  - http(s)://intranet.example.com (NTLM auth)
  - http://portal.example.com (SAP NW Portal)
• SAP Portal redirects to the HTTPS version

#3 Discovery and Exploitation (2)

• HTTP 307: "Temporary Redirect"
  - https://portal.example.com/irj/portal
• The common & "innocent" HTTP redirection discloses all the session cookies (network traffic):
  - saplb_*, PortalAlias & JSESSIONID
• Even if the reference is HTTPS, the lack of the "secure" attribute makes it possible to MitM it and relay fictitious HTTP to HTTPS (e.g. SSLstrip)
• Target SAP Portal supported client-based digital certificates (smart card ID) or user/password auth

#3 Discovery and Exploitation (3)

• Pen-tester obtains a valid session ID (pre-auth)
• The session ID is "fixed" in the victim's browser (ARP poisoning & traffic control)
  - MitM by injecting the session ID in the cookie headers of the HTTP response (307 redirect)
• The user authenticates in the SAP Portal
  - Session ID does not change (session fixation)
• Pen-tester gets full access to the victim's session (business critical data and actions)

#3 Discovery and Exploitation (4)

(screenshot: "Acceso a Sistemas SAP - SAP NetWeaver Portal" in Firefox at https://portal.[...]/irj/portal; the "Portal del Empleado" page lists access to the SAP systems: Económico/Financiero (SAP R/3), Recursos Humanos (SAP HR), Business Warehouse (SAP BW) and Business Warehouse Presupuestación)

Session

(image: "The Session" logo)
http://4.bp.blogspot.com/_qu-NsGz9y5E/SdfD1QbBY5I/AAAAAAAABX0/cyMTSOyME-A/s400/The_Session_Logo.jpg

#3 Discovery and Exploitation (5)

• The attacker only had to reuse the following specific set of target cookies:

  Cookie:
    saplb_*=(J2EE01234567)01234567;
    PortalAlias=portal;
    JSESSIONID=(J2EE01234567)ID0123456789DB01234567890123456789End;
    MYSAPSSO2=AjEx...(very long string)...ewCw%3D;
    SAPWP_active=1

#3 Discovery and Exploitation (6)

• SAP NW Portal version 6.4.200607310245:
  - Server: SAP Web Application Server (ICM)
  - Server: SAP J2EE Engine/6.40
  - PortalVersion: "6.4.200607310245"
• SAP Portal session IDs available pre-authentication
• Post-authentication, session IDs do not change (session fixation)
• Choose targets selectively (business role)

#3 Impact (1)

• Hijack any SAP user (or admin) session
  - Unauthorized access to SAP Portal and other SAP applications and modules
  - SAP NetWeaver is SAP's integrated technology platform & technical foundation for all SAP apps
  - Key business users (target core business)
• Real-world impact: who could be affected?
  - SAP AG: world's leader in enterprise biz SW
  - +109,000 customers in 120 countries
  - +140,000 installations & +2,400 cert partners

SAP Architecture

(diagram of the SAP solution portfolio; labels: User adaptation; Flexibility, extensibility; Business insights; Industry core processes; Horizontal core processes; On-demand; All-in-One; SAP NetWeaver - Process Integration - Master Data Management - Information Lifecycle Management; Large Enterprises, Midsize Companies, Small Businesses)

#3 Impact (2)

• Direct impact on the software-based and web services-based business activities of thousands of organizations and companies worldwide
• Session fixation might impact web-app design
  - In-depth architecture analysis & 3rd parties & redesign
  - A minor change can break other components
  - E.g. user impersonation between applications
    - SSO (Single Sign On) or session management tricks
  - E.g. software components that receive and use IDs
    - Without capabilities to discern if it is valid or not

Bypass the most advanced authentication mechanisms

#3 Impact (3)

• SW maintenance & support strategy: 7-2
  - 7 years mainstream + 2 years extended
  - Fixes for new & legacy versions (production)

Security Response Process has been enhanced and aligned across all product areas:
  - Monthly Patch Day introduced in September 2010
  - Service Marketplace supports crediting external researchers

#3 Vulnerability Disclosure Timeline (1)

• Complexity of modern web architectures and broad vulnerability scope = 1.5 years
• Reported in early July 2009 & ratified
  - First deadline: 2 months (best case scenario)
• Mid Sep 09: difficulties identified (stability)
• Nov 09: estimated release on Jan/Feb 10
  - Responsible disclosure (plans) & real impact
  - Initial technical solution being tested

Meanwhile environments remain vulnerable...

#3 Vulnerability Disclosure Timeline (2)

• End Jan 10: solution still not available
  - Issue escalated internally
  - Several months required (all affected releases)
• Mar 10: fixes for all cases expected +Sep 10
  - Issues found on legacy releases
  - Partial fixes for specific CUs under evaluation
• Aug 10: meeting date for Nov 10 (disclosure)
• Dec 10: vuln & fix releases (CUs & partners)
• Mar 11: implementation time of 3 months

SAP Disclosure Guidelines (1)

• SAP disclosure guidelines details:
  - Published after this specific finding
  - "Since the integrity and security of business operations is crucial for businesses in all industries, SAP as a provider of business software is absolutely committed to maintaining the highest possible level of security within its products."
  - What is the right balance between full security and fast disclosure? Other researchers can find it: different motivations (see case #1)

SAP Disclosure Guidelines (2)

• Fix and vuln disclosure details and timing:

  PLEASE GIVE SAP SUFFICIENT TIME TO DEVELOP SUITABLE FIXES

  - Fixing security vulnerabilities can be a long and arduous process as we work to develop a patch, ensure its compatibility with all relevant software versions, run comprehensive tests to ensure that the fixes run well and do not have any side-effects, and provide it to our customers.
  - As a vendor of business software we provide security fixes not only to the latest version but also for many older versions [...] software products. This means that we need to develop and thoroughly test feasible patches for a broad range of product versions, whi[...]

  PLEASE DO NOT PUBLICIZE VULNERABILITIES UNTIL SAP CUSTOMERS HAVE HAD TIME TO DEPLOY FIXES

  - The deployment of patches for SAP enterprise systems is usually more complicated than a software upgrade on a consumer PC. Depending on the nature of the vulnerability, the deployment of patches often is not only done by an automated update; in some cases it requires manual configuration work in the system.
  - Some of our customers also have regular patching cycles, for instance on a [...] or a quarterly basis.
  - In light of these circumstances, we ask all security researchers to give [...] sufficient time to implement patches in their SAP systems. As a rule of thumb, we suggest respecting an implementation time of three months. We ask all security researchers to not disseminate any kind of information or tools that would help to exploit the vulnerability during that time.

New SAP security program: highlight security notes, periodic releases & credit
Is the all-or-nothing approach the right approximation?

#3 Protections (1)

• Monthly Patch Day (since Sep 2010)
• SAP ACK to security researchers: Taddong, Raul Siles, SAP Security Note 1310561
• SAP Security Note 1310561 (third oldest, after 1175239 (related) & ...)
  - December 2010
  - https://websmp130.sap-ag.de/sap/support/notes/1310561 (SAP Service Marketplace)

#3 Protections (2)

• Enable "SessionIdRegenerationEnabled"
  - SAP Security Note 1310561
  - Web Container Service property
  - Two cookies required to identify sessions: JSESSIONID & JSESSIONMARKID ("secure")
  - The new "secure" session ID is renewed on every successful login
  - Disabled by default but...
  - Enabled in +7.11 SP06 & all SPs of 7.20 & 7.30
  - Specific scenarios may require extra steps

#3 Protections (3)

• Use HTTPS-only links & remove HTTP support in SAP Portal
• Enable "SystemCookiesHTTPSProtection"
  - SAP Security Notes 1019335 & 1020365
  - HTTP Provider Service property
  - Sets the "secure" attribute for session and load balancing cookies (JSESSIONID & saplb)
  - Available in 6.40 SP21 & 7.0 SP14
  - Disabled by default

Vendor conservative settings & backward compatibility. Security teams!!

#3 Protections (4)

• Enable "SessionIPProtectionEnabled"
  - Web Container Service property
    - Manages J2EE web components
  - The HTTP session cannot be accessed from different IP addresses. Only requests from the IP address that started the session are processed
  - Disabled by default
  - If a front proxy or load balancer is used:
    - Configure the "ClientIpHeaderName" property of the HTTP Provider Service (e.g. relay the "X-Forwarded-For" header)

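The proxy caveat on this slide is where IP binding usually goes wrong, so here is an added example (a stand-alone model, not the SAP implementation) of binding a session to the client address behind a front proxy: the relayed header is honoured only when the request actually arrives from a trusted proxy, otherwise it is attacker-controlled and the binding would be void. The proxy range, header name and addresses are constructed.

```python
"""Session-to-client-address binding behind a front proxy (added example).

Models the SessionIPProtectionEnabled behaviour on the slide: a session is
honoured only from the address that created it. Behind a load balancer or
reverse proxy the server's peer address is the proxy's, so the client address
has to be read from the relayed header, but only when the request really
arrived from a trusted proxy; from any other peer the header is attacker-
controlled and must be ignored. Not the SAP implementation; the proxy range,
header name and addresses are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]   # assumed front proxy / load balancer range
CLIENT_IP_HEADER = "X-Forwarded-For"            # header the proxy relays (ClientIpHeaderName)


def client_address(peer_ip: str, headers: Dict[str, str]) -> str:
    """Address to bind the session to.

    With exactly one trusted proxy in front, the right-most X-Forwarded-For
    entry is the one that proxy appended, so it is the only one to trust;
    anything the client put in the header itself sits to its left.
    """
    peer = ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXIES):
        forwarded = headers.get(CLIENT_IP_HEADER, "")
        if forwarded:
            try:
                return str(ip_address(forwarded.split(",")[-1].strip()))
            except ValueError:
                pass                      # malformed header: fall back to the peer address
    return str(peer)


class BoundSessions:
    """Session IDs mapped to the client address that started them."""

    def __init__(self) -> None:
        self._bound: Dict[str, str] = {}

    def start(self, sid: str, peer_ip: str, headers: Dict[str, str]) -> str:
        """Record the address the session was created from."""
        self._bound[sid] = client_address(peer_ip, headers)
        return self._bound[sid]

    def accept(self, sid: str, peer_ip: str, headers: Dict[str, str]) -> bool:
        """Process the request only if it comes from the bound address."""
        bound: Optional[str] = self._bound.get(sid)
        return bound is not None and bound == client_address(peer_ip, headers)


if __name__ == "__main__":
    store = BoundSessions()
    proxy = "10.0.0.5"
    print(store.start("s1", proxy, {"X-Forwarded-For": "203.0.113.7"}))           # 203.0.113.7
    print(store.accept("s1", proxy, {"X-Forwarded-For": "203.0.113.7"}))           # True
    print(store.accept("s1", proxy, {"X-Forwarded-For": "198.51.100.9"}))          # False
    print(store.accept("s1", "198.51.100.9", {"X-Forwarded-For": "203.0.113.7"}))  # False: header from an untrusted peer is ignored
```

The binding is a mitigation, not a fix for fixation itself: legitimate users behind a shared NAT or a changing mobile address are either indistinguishable or locked out, which is why the slide lists it alongside ID regeneration and the Secure attribute rather than instead of them.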
Conclusions

Session Fixation Protections

• Renew the session ID after privilege level changes
• Lack of a link between authentication and session management capabilities (best practices only)
  - Web developer's hands (e.g. PHP or Java or .NET...)
• Limit accepted session tracking mechanisms
• HTTPS everywhere
• Session ID available only post-authentication
• Bind the session ID to other user properties
• Isolate critical web-apps on their own domain
• Very restrictive cookie attributes

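The last item, together with the cookie-related points made earlier (the "domain" attribute in cross-subdomain cooking, persistent cookies under "Session Fixation Benefits", the missing "secure" attribute in case study #3, the XSS vector setting document.cookie), as an added example that is not part of the original slides: an audit of Set-Cookie headers for session trackers. The sample headers and the lifetime policy are constructed; cookie names follow the slides.

```python
"""Set-Cookie audit for session cookies (added example, not part of the slides).

Checks the attributes the talk keeps coming back to: Secure (missing in case
study #3, and what lets a MitM read or fix the cookie over HTTP), HttpOnly
(the XSS vector that sets document.cookie), Domain (cross-subdomain cooking
when the cookie is shared with every host under the domain) and persistence
(a persistent session cookie keeps a fixed ID waiting in the browser, the
"10 years" case). Names follow the slides; the headers and the policy
limit are constructed.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List

SESSION_NAMES = {"SESSIONID", "JSESSIONID"}     # trackers to audit
MAX_LIFETIME = timedelta(hours=12)              # assumed policy: session cookies must not be long-lived


def parse_set_cookie(header: str) -> Dict:
    """{'name', 'value', 'attrs'}; attrs keys are lower-cased, flags map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str, site_host: str, now: datetime) -> List[str]:
    """Weaknesses of one Set-Cookie header when it carries a session tracker."""
    cookie = parse_set_cookie(header)
    if cookie["name"] not in SESSION_NAMES:
        return []
    attrs, findings = cookie["attrs"], []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP, a MitM can read or replace it")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable and settable from script")
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain.lstrip(".").lower() != site_host.lower():
        findings.append(f"Domain={domain}: shared with every host under {domain.lstrip('.')}")
    lifetime = None
    max_age = attrs.get("max-age")
    expires = attrs.get("expires")
    if isinstance(max_age, str) and max_age.lstrip("-").isdigit():
        lifetime = timedelta(seconds=int(max_age))        # Max-Age takes precedence over Expires
    elif isinstance(expires, str):
        try:
            lifetime = parsedate_to_datetime(expires) - now
        except (TypeError, ValueError):
            findings.append(f"unparseable Expires={expires}")
    if lifetime is not None and lifetime > MAX_LIFETIME:
        findings.append(f"persistent for {lifetime.days} days: a fixed ID outlives the session")
    return findings


# Constructed headers: the slide's examples plus a hardened one and a non-session cookie.
SAMPLES = [
    "SESSIONID=012345; expires=Friday, 17-May-13 18:45:00 GMT; path=/",
    "SESSIONID=012345; domain=.example.com; path=/",
    "JSESSIONID=Fz5fqMal; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    now = datetime(2011, 3, 1, tzinfo=timezone.utc)     # the talk's date, used as reference time
    for header in SAMPLES:
        print(header, "->", audit_set_cookie(header, "portal.example.com", now) or "ok")
```

Run over an interception proxy's log, the same function turns the "very restrictive cookie attributes" item into a checklist per cookie; a session cookie with no Expires or Max-Age at all (a browser-session cookie) passes the persistence check by design.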
Conclusions (1)

• Session fixation still prevalent in 2010
  - Open-source projects, commercial web application frameworks, and mission critical business platforms
• Thousands of critical and business-related web environments affected worldwide
• Entry point to get unauthorized access to business critical data and infrastructures
  - Targeted, criminal, and corporate espionage
• Multiple exploitation methods available

Conclusions (2)

• Session attacks can bypass even the most advanced authentication mechanisms
• The session ID is equivalent to...
  - Password
  - Passphrase
  - Digital certificates
  - Smart cards
  - Fingerprint
  - Eye retina

Conclusions (3)

• Impact on the web-app design and on multiple modules (and 3rd-party components)
  - Complexity of web-apps and core nature of session management infrastructures
  - Minor misconfiguration introduces the vulnerability?
  - How easy is it to fix session fixation?
  - Plan and test early in design and development
• Promote (continuous) testing for session fixation flaws, development awareness, and improve vulnerability handling and disclosure

Future Research

• Session fixation state of the art in the wild
  - Widely used Internet services and a selected sample of critical web applications
  - Valid user account on the target web-app
• Manual techniques vs. semi-automated tool for discovery and basic exploitation
  - Automate verification and extend testing
• Authentication and privilege level changes

Questions?

(image: blackboard reading "I will use Google before asking dumb questions")